The attachment has the extension *.doc.zip (to look like a zipped document) and inside it there is a *.doc.lnk file.
Instead of the MS Office document there is a Windows shortcut (.lnk), but normal users will most probably see only ".doc", because the common Windows setting is to hide extensions of known file types. The link file points to the PowerShell binary and has a download script as its command-line parameter.
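Added example (not code from the original post): a small Python check that flags archive members which disguise a Windows shortcut as a document, the *.doc.zip / *.doc.lnk pattern described above. It matches both on the double extension and on the Shell Link header bytes, so a shortcut renamed to another extension is still caught; the sample archive, its file names and the "DOC_LIKE" list are constructed here for illustration.

```python
"""Flag Windows shortcuts hidden inside a zip attachment (added example)."""
import io
import zipfile
from typing import List, Tuple

# Shell Link (MS-SHLLINK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, as stored on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions a user would read as "a document" once the real one is hidden.
DOC_LIKE = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf"}


def disguised_lnk_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member that is or hides a .lnk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            # Split into what Explorer shows with "hide known extensions" on
            # and the real (hidden) extension.
            shown, dot, real_ext = base.rpartition(".")
            real_ext = "." + real_ext if dot else ""
            shown_ext = "." + shown.rsplit(".", 1)[-1] if "." in shown else ""
            with zf.open(info) as fh:
                has_lnk_header = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
            if real_ext == ".lnk" and shown_ext in DOC_LIKE:
                findings.append((info.filename, "document-like name hides a .lnk extension"))
            elif has_lnk_header and real_ext != ".lnk":
                findings.append((info.filename, "Shell Link header but extension is %s"
                                 % (real_ext or "none")))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one disguised shortcut, one renamed shortcut, one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4411.doc.lnk", LNK_MAGIC + b"\x00" * 60)  # the pattern above
        zf.writestr("readme.pdf", LNK_MAGIC + b"\x00" * 60)  # shortcut renamed to .pdf
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in disguised_lnk_members(build_sample_zip()):
        print("%s: %s" % (name, reason))
```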

2015-04-08

This blog post is to compile a list of articles and information bits about the Asprox botnet.
Asprox malware is being spread via phishing emails claiming to be from DHL, FedEx, USPS, American Airlines, Costco, Walmart, Pizza Hut, Home Depot, Target and many others. It also likes to claim to be a court order, a funeral/wedding announcement, or a missed voicemail from WhatsApp.

2015-03-10

This blog post is to publish information gathered on the Geodo malware / botnet. Different researchers and AV vendors call the malware and the related botnet by different names: Bugat / Feodo / Cridex / Dridex / Emotet. I use the name Geodo for the malware family as used by FeodoTracker.abuse.ch as version "C". It seems that the group is using a different codebase for the malware downloader of the botnet, but the communication protocols seem to be similar or the same. I will try to focus on Geodo, but I will also keep references to analyses of the other related malware families, as it can easily turn out that I would have to extend the scope.

Once the malware is executed, it makes itself persistent under a name that mimics MS updates and injects into Internet Explorer.
This campaign switched Internet Explorer to offline mode, requiring user input, in order to trick AV sandboxes into not capturing the malicious HTTP traffic.